Why Your New Insider Threat Program Should Create Less Work - Not More

By April Resnick


When you hear the words "insider threat program", do you immediately think of Big Brother looking over your shoulder and trying to catch you doing something wrong? It's a common misconception. The truth is, the new NISPOM Change 2 requirements are in place to help your company decrease the number of false positives that could be flagged as insider threat risks by looking at a combination of multiple points of data, instead of individual events.

One of the main requirements outlined by the new minimum standards is that information originating from different functional areas of an organization is integrated togther in a central location (or "hub") for more robust insider threat risk analysis.

Here are a few ways that your new insider threat program will help to decrease false positives, effectively making less work for everyone involved in investigating potential security violations:

  1. The goal is simply increased awareness. The new standards will not provide you with a profile of who is an insider threat to your firm.  Innocent until proven guilty still applies here, and companies can’t take action against somebody for suspected future behavior. However, the program is designed to look for ongoing indicators of malicious activity. The key here is that it will take into account events that don't seem like a big deal in isolation; walking away from an unlocked workstation, forgetting to submit a foreign contact disclosure for a trip, badging in to a secure area at an odd time, getting into a tiff with a coworker. However, multiple events may begin to form into visible patterns of concerning activity, and your insider threat team will have a better sense of where to target their attention to prevent malicious incidents.

  2. More preventative (and less punitive) action. Your information collection efforts should be intended to highlight patterns and raise red flags. If your team does detect activity that could represent malicious threat, an inquiry should be triggered. If an employee's behavior is highlighted by the insider threat program as suspicious, they must be afforded due process before any repercussions take place. Your company is likely to experience false positives flagged by your information collection efforts, but ensuring a consistent and fair inquiry process will safeguard against false positives.

  3. Leverage your in-house braintrust. The information collected and analyzed by the insider threat team is the same data that cleared individuals have always been required to report (with the exception of the new mandate to track incidents of carelessness and/or negligence). By collecting all of this information in once central hub, the signal to noise ratio for CI, security, HR and other response departments should improve. Instead of relying on each functional area to capture and respond to information relating to their silo, the insider threat program will proactively alert them when there is an incident that requires further investigation. 

The new set of minimum insider threat program standards should reduce the number of false positives that require an investigation, as compared to a more segmented security process that may have been in place before. While they will still occur from time to time, your company will benefit from cross-functional information sharing and a strong and consistent inquiry process to rule out false positives. 

New Call-to-action